On 2016-09-29 1:00 PM, Brian Wolff wrote:
> Personally, my preferred solution [0] [I might be biased in evaluating them] would be to base the CSRF token on a session cookie if one exists. If one does not exist, use an HMAC of the user's IP address, keyed using a server-side secret (The only state an Anon has is what IP address it is, so this should be safe). This way it will work for users without cookies (Maybe none exist, but I like the idea you can edit wikipedia without cookies) and for users who have rapidly changing IPs. It will also have minimal breakage, as you won't have to adjust any existing usages of tokens (For example, on special pages).
Users with a rapidly changing IP will get an invalid CSRF warning page before they get the session cookie they need in order to edit.
Krinkle's suggestion of having JS initiate the POST after fetching the edit token and initiating the session was an ingenious method of eliminating that notice for those users.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
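The two token derivations Brian describes (session-bound when a session cookie exists, otherwise an HMAC of the client IP under a server-side secret) and the IP-change failure Daniel points out, as an added Python example that is not code from either message or from MediaWiki; the HMAC message prefixes, the session-id binding and the sample IP addresses are assumptions chosen for illustration:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret; a real deployment loads a persistent secret
# from configuration so tokens survive restarts and work across app servers.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: Optional[str], client_ip: str) -> str:
    """Derive the CSRF token for a request.

    With a session cookie the token is bound to the session id, so it stays
    valid when the client's IP changes. Without one (anonymous, cookieless
    user) the only state available is the client IP, so the token is an HMAC
    of that IP under the server secret. The "session:"/"ip:" prefixes are an
    assumption that keeps the two keyspaces from colliding.
    """
    if session_id:
        msg = b"session:" + session_id.encode()
    else:
        msg = b"ip:" + client_ip.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def check_csrf_token(presented: str, session_id: Optional[str], client_ip: str) -> bool:
    """Recompute the expected token and compare in constant time."""
    expected = csrf_token(session_id, client_ip)
    return hmac.compare_digest(presented, expected)


def simulate_edit(token_ip: str, submit_ip: str, session_id: Optional[str] = None) -> bool:
    """Token fetched with the edit form from token_ip, form POSTed from submit_ip.

    Returns True when the POST would be accepted. An anonymous user whose IP
    changed between the two requests gets the invalid-token page Daniel
    describes; a user holding a session cookie does not.
    """
    token = csrf_token(session_id, token_ip)
    return check_csrf_token(token, session_id, submit_ip)
```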